Add support for decrypting IEEE 802.11 WPA3-Personal / SAE traffic.
SAE uses AES encryption but a different key derivation function (KDF)
making Wireshark fail to decrypt such captures. Also both KDF and
decryption method is determined based only on EAPOL key description
version. This is not enough to figure out that SAE is being used.
Implement the alternative KDF needed to derive valid PTK. Also
implement a function to parse pairwise + group cipher suites and
auth key management type from RSNE tag. Using this new function
together with a number of new cipher and AKM lookup functions
correct KDF for SAE can be selected.
Bug: 15621
Change-Id: I8f6c917af1c9642c276a244943dd35f850ee3757
Reviewed-on: https://code.wireshark.org/review/32485
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
If we go over 31, we get an invalid shift. It's due to malformed
packets. Add an expert info and exit the loop.
Bug: 14770
Change-Id: Icc17831ee23395ed2b0d414af09d86d1d1a6444c
Reviewed-on: https://code.wireshark.org/review/32316
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add dissection of MESH specific bits in QoS control field (bit 8-10).
Use presence of Mesh Control field to determine if this is a MESH
frame.
Bug: 15522
Change-Id: I23ccf0f2ba4f6ae649b2932183c69e886cb4d22a
Reviewed-on: https://code.wireshark.org/review/32084
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Fix regression introduced by '802.11: Dissect locally originated mesh
frames' that prevent to include dissection for Mesh Control field when
QoS Control field is present in the frame.
Bug: 15521
Change-Id: Idb6b0591c245fc5976f03df6e163fc9072dae193
Reviewed-on: https://code.wireshark.org/review/32083
Reviewed-by: cedric izoard <cedric.izoard@ceva-dsp.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Dissector supports only type 1: AP Name.
Bug: 15415
Change-Id: I64b248137fd2b895b8a0e7c88e48096aad0448d8
Reviewed-on: https://code.wireshark.org/review/31476
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Content of Mesh Peering Management element depends of the type of
self-protected action frame it is included in.
This type was currently wrongly read from the element itself.
To know the type of self-protected action frame when parsing Mesh
Peering Management element it is saved in a new field of the
association_sanity_check_t structure: ampe_frame (AMPE stands for
Authenticated mesh peering exchange).
This field is updated when parsing a self-protected action frame that
is part of the AMPE (i.e. Mesh Peering OPEN, CONFIRM or CLOSE)
Bug: 15499
Change-Id: Ibad4fd77d43542ef867ac2a8ad9f186a1dd6c0f0
Reviewed-on: https://code.wireshark.org/review/32025
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
MIC element is used in Authenticated Mesh Peering Exchange (AMPE)
frames.
The content of the frame after the MIC element is encrypted and
authenticated so don't try to parse it as normal 802.11 element.
Bug: 15499
Change-Id: Iaede048e1c30c5f980e98afb87b099bca531d3d0
Depends-On: I20e7f1e5779934e19464ad86666bfec8ded939e0
Reviewed-on: https://code.wireshark.org/review/32027
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Although the element is simply called MIC it is only used during a
mesh peering exchange (at least as of 802.11-2016) that's why I
associated it to field wlan.mesh.mic
Bug: 15499
Change-Id: I20e7f1e5779934e19464ad86666bfec8ded939e0
Depens-On: Ibad4fd77d43542ef867ac2a8ad9f186a1dd6c0f0
Reviewed-on: https://code.wireshark.org/review/32026
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
It can be annoying to have to manually calculate the number
of tones based on the global bandwidth and the RU allocation.
Do that in the dissector.
Change-Id: I42eb403a91ebacc4fcfaa3e8c3e793a055d2b9f8
Reviewed-on: https://code.wireshark.org/review/31559
Reviewed-by: Emmanuel Grumbach <egrumbach@gmail.com>
Petri-Dish: Jim Young <jim.young.ws@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
The TSF values are "normal" numbers, not a bitmap
or anything like that.
Moreover, we often need to add or substract values
from the TSF of a beacon. Change it to be printed in
decimal to make people's life easier.
Change-Id: I01505395fb10538b204a87dd864ac04e29b821e0
Reviewed-on: https://code.wireshark.org/review/31544
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The RU Allocation is really a decimal number and the
standard uses it as a decimal number. It is not a bitmap.
Print it in decimal.
Change-Id: I2f8ff9798aa1af855ad3c8b0a26704282fe18189
Reviewed-on: https://code.wireshark.org/review/31315
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This allows taps that can fail to report an error and fail; a failed
tap's packet routine won't be called again, so they don't have to keep
track of whether they've failed themselves.
We make the return value from the packet routine an enum.
Don't have a separate type for the per-packet routine for "follow" taps;
they're expected to act like tap packet routines, so just use the type
for tap packet routines.
One tap packet routine returned -1; that's not a valid return value, and
wasn't one before this change (the return value was a boolean), so
presume the intent was "don't redraw".
Another tap routine's early return, without doing any work, returned
TRUE; this is presumably an error (no work done, no need to redraw), so
presumably it should be "don't redraw".
Clean up some white space while we're at it.
Change-Id: Ia7d2b717b2cace4b13c2b886e699aa4d79cc82c8
Reviewed-on: https://code.wireshark.org/review/31283
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Make the time stamp precision a 4-bit bitfield, so, when combined with
the other bitfields, we have 32 bits. That means we put the flags at
the same structure level as the time stamp precision, so they can be
combined; that gets rid of an extra "flags." for references to the flags.
Put the two pointers next to each other, and after a multiple of 8 bytes
worth of other fields, so that there's no padding before or between them.
It's still not down to 64 bytes, which is the next lower power of 2, so
there's more work to do.
Change-Id: I6f3e9d9f6f48137bbee8f100c152d2c42adb8fbe
Reviewed-on: https://code.wireshark.org/review/31213
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This fix prevents that a BoundsError is thrown in function try_decrypt for
packets with captured length less than packet length. Otherwise, some data
is not dissected.
Change-Id: I0dcd89b85b959f5712ff58b184bfa2e064746d0b
Reviewed-on: https://code.wireshark.org/review/31026
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Type of field wlan.ext_tag.ess_report.ess_info.thresh
must be FT_INT8 instead of FT_UINT8.
Change-Id: Icd1a121832d6a660550023a91d0b732385f68b60
Reviewed-on: https://code.wireshark.org/review/31016
Petri-Dish: Graham Bloice <graham.bloice@trihedral.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
1. Correctly print out the AP Tx Power level.
2. The A-Control UL MU Response field was renamed to the TR Response field.
3. Handle padding correctly in the A-Control field.
Change-Id: I33000aa28b9e00ab97ca30d53907685e302c49c2
Reviewed-on: https://code.wireshark.org/review/30918
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Encrypted packets were decrypted two times. One time to scan for
new keys. If no keys were found the decrypted data was simply
discarded. Then later on the packet was decrypted again for
dissection.
Avoid decrypting packets two times by storing the result from first
decryption if no key was found. Skip the second attempt.
Note though that in the special case where a key was actually found
inside an encrypted packet the decryption will still be performed
twice. First time decrypt, discover the key, and return the EAPOL
keydata. Second time decrypt and return the decrypted frame.
Change-Id: I1acd0060d4e1f351fb15070f8d7aa78c0035ce39
Reviewed-on: https://code.wireshark.org/review/30568
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Decrypt EAPOL keydata information and have it dissected with the
ieee80211 dissector.
This is achieved by letting the Dot11Decrypt engine retrieve the EAPOL
keydata decrypted while extracting the GTK during 4-way handshake.
The ieee80211 dissector then stores the decrypted data in packet proto
data so that the wlan_rsna_eapol subdissector can retrieve it for
dissection.
Change-Id: I2145f47396cf3261b40e623fddc9ed06b3d7e72b
Reviewed-on: https://code.wireshark.org/review/30530
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This is only the new IEs and one new Extension Frame type
Change-Id: If55fbf205735f657352c8f21b22fa0858ae183f0
Reviewed-on: https://code.wireshark.org/review/30519
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Fix up some comments while we're at it.
Bug: 15203
Change-Id: I1d8ab71f618a74bbf0625eb89eb836c48200b5dd
Reviewed-on: https://code.wireshark.org/review/30401
Reviewed-by: Guy Harris <guy@alum.mit.edu>
MIC length is determined automatically for OWE and multiple MIC lengths per session are supported.
Bug: 15215
Change-Id: Ie655fbd3fdc8555df430d4dc8a0081e169150c28
Reviewed-on: https://code.wireshark.org/review/30246
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
- Include some new tags from 802.11ai
- Support authentication messages using FILS authentication
- Determine MIC length automatically
Bug: 15210
Change-Id: I21a6c8df0a4f0429f8d900f32f0e95ace126d4e6
Reviewed-on: https://code.wireshark.org/review/30232
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
- Groups in the SAE exchange are named
- The SAE message type is included explicitly (Commit or Confirm)
Bug: 15197
Change-Id: I8d95dd1603bbb8f46675ec66d60fd0b187787803
Reviewed-on: https://code.wireshark.org/review/30127
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add new value (used by WPA3)
Issue reported by Philipp Ebbecke
Bug: 15168
Change-Id: Iff4a7332dfc57226b191ec34319f0b7a78e30ede
Reviewed-on: https://code.wireshark.org/review/30040
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Unregistered etts will lead to an assertion/abort when used.
Change-Id: I0322559358b1e286666322fef093e5b5123253a1
Reviewed-on: https://code.wireshark.org/review/30018
Petri-Dish: Jeff Morriss <jeff.morriss.ws@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
and following packet order for field
Change-Id: I724f3d87e02d182021e53eb9f78644420843e593
Reviewed-on: https://code.wireshark.org/review/29936
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
For Data frames with ToDs=1|FromDS=1 and a Frame body containing A-MSDU,
the Addr3 and Addr4 fields are not Destination/Source addresses (DA/SA),
but BSSID/BSSID. Use the RA/TA fields for the Hw Dest/Src columns and
add another BSSID field for Addr4 (should match Addr3, but in theory the
wire format could have different values).
While at it, fix the A-MSDU case for other cases to match 802.11-2016
Table 9-26 Address field contents. The "Short A-MSDU" case as used by
DNG STAs are not handled here though.
Tested against a capture with MSDU frames (all but ToDS=1|FromDS=1) and
the test case from the linked bug.
Bug: 15144
Change-Id: Ic832d7cd7b8e05a1408353cb79c07efed0fb19cc
Reviewed-on: https://code.wireshark.org/review/29935
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add the new elements introduced for OWE:
- OWE DH Parameter in the association request/response as specified in RFC 8110
- OWE Transition Mode element as specified in "Opportunistic Wireless Encryption Specification version 1.0" by the WiFi Alliance
Bug: 15146
Change-Id: I9b6c6de459899ce28c909bf79bdde431e50679c9
Reviewed-on: https://code.wireshark.org/review/29850
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Mixing 32-bit and 64-bit value_strings could lead to a crash.
Change-Id: Iedfae66103046a478ce5198416247d256dc1840e
Fixes: v2.9.0rc0-1769-gad6eb33684 ("WIP:ieee80211.c: Add support for D3.0 of 802.11ax")
Reviewed-on: https://code.wireshark.org/review/29749
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Some of the bits were parsed as a bit of a WORD, and others as
a bit of BYTE leading to a bug in the display.
Bug: 15133
Change-Id: Ie6877c4a4a79fcc802afec49436370cf22a6bfae
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Reviewed-on: https://code.wireshark.org/review/29633
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The ieee80211ax D3.0 support got merged accidentally with some issues.
This fixes the remainder of those issues.
Change-Id: I2a3a427e04cb1dca076fd761458de92d4d5e0df2
Reviewed-on: https://code.wireshark.org/review/29602
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This changeset merges in the changes that have been tested in a resent
test event at the WFA. It will not dissect older D2.x packet captures.
Change-Id: Id38a27a61a6a2a083575448e5c59a8e190827e6d
Reviewed-on: https://code.wireshark.org/review/29512
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Srsly, you're fetching a *two-byte* value, might as well say "2" -
either sizeof(guint16) is guaranteed to be 2, in which case you might as
well just use 2, or it's *not* guaranteed to be 2, in which case you
*have* to use 2, because a value other than 2 is invalid.
Change-Id: I9da8dc66d3a77e98cb0a0a5501655594c509eb87
Reviewed-on: https://code.wireshark.org/review/29585
Reviewed-by: Guy Harris <guy@alum.mit.edu>
... Use of an unregistered ett leads to an abort.
Inspired by I3ee2f557ace1643dfba5a978add66c3c7ba7d895. Some day I should get
the ett_ registration checking code in checkAPIs ready for prime time...
Change-Id: I69162d4bcec571e6a517a107ac365aa78bfe8d25
Reviewed-on: https://code.wireshark.org/review/29474
Petri-Dish: Jeff Morriss <jeff.morriss.ws@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In some cases we are including the FCS in the next TVB which can screw
up dissection.
Change-Id: Ie721a9ca169828f99d2aef4bd1e1762d06a14070
Reviewed-on: https://code.wireshark.org/review/28848
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
These elements were folded into 802.11-2012 and thus are also in
802.11-2016.
The code was contributed by George Baltatanu with some minor changes
by me.
Change-Id: Ieea61dea9d333a43dded16d7634c7fc325374e8e
Reviewed-on: https://code.wireshark.org/review/29283
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It is still not very clear how to parse the element, so
focus only on the Unicast TWT for now.
This should be useful for the short term.
Ping-Bug: 15009
Change-Id: Ia589b170966e329ce051845553841a9fb80fcd5f
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Reviewed-on: https://code.wireshark.org/review/28857
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Mikael Kanstrup